
Network security meeting HIPAA/ePHI compliancy?

hipaa network pharmacy ephi phi

8 replies to this topic

#1 EntryIT

EntryIT

    Resident One Post Wonder

  • Joined: 15-January 14

Posted 15 January 2014 - 20:55

I provide desktop support for a start-up company. The company owns a few pharmacies in the area. Each pharmacy has at least 3-5 computers, which are connected to the internet to receive/transmit medical and patient data via software. Right now they are being protected by a router along with Symantec Norton Business class acting as firewall and anti-virus.

My question is, and where we require assistance: is this sufficient for HIPAA/ePHI compliancy? Multiple Google searches provide only very broad and vague information on HIPAA rules & regulations. Do we require hardware firewalls in conjunction with a software firewall/anti-virus? Does anyone have experience in this field or can provide some concrete info in this spectrum?

Thanks in advance.




#2 Barney T.

Barney T.

    Debian Linux: I'm Loving It!

  • Tech Issues Solved: 3
  • Joined: 30-August 03
  • Location: Williamsburg, Virginia

Posted 15 January 2014 - 21:06

HIPAA compliance standards can be found HERE and HERE. I deleted the reference to your specific brand as including it is spamming our site. You are required to safeguard patient data and limit access to those who have direct patient care needs. If your software and / or hardware does this and provides sufficient safeguards as listed above, including access from unauthorized intrusions, you will be safe. The method by which you do this is your own choice.

 

Barney

Registered Nurse



#3 vetneufuse

neufuse

    Neowinian Senior

  • Joined: 16-February 04

Posted 15 January 2014 - 21:16

Oh HIPAA, the law that required (well, forced, because of the amount of legal we had to understand) us to hire 2 lawyers full time on staff, have a dedicated security officer that goes to jail if we F up, and have to have all the software we create run through auditing.... what an annoying law in the end.... every single change we make to our network we have to do a "risk assessment" and record our findings... we fall under the strict guidelines because we house VERY confidential data and process it for carriers and hospitals...

every year it seems like stricter parts are put into action; it used to be "best effort", now it's more like you better do it right or else... we just heard of one place that we worked with in the past getting fined $1.5 million for not securing their network well enough... kinda rattled a few people in legal here...



#4 Barney T.

Barney T.

    Debian Linux: I'm Loving It!

  • Tech Issues Solved: 3
  • Joined: 30-August 03
  • Location: Williamsburg, Virginia

Posted 15 January 2014 - 21:21

Well, the law might be annoying, however it also keeps organizations like health insurance companies from illegally obtaining your health records and increasing your rates due to some "condition". I am glad that this safeguard is in place.



#5 vetneufuse

neufuse

    Neowinian Senior

  • Joined: 16-February 04

Posted 15 January 2014 - 21:22

> Well, the law might be annoying, however it also keeps organizations like health insurance companies from illegally obtaining your health records and increasing your rates due to some "condition". I am glad that this safeguard is in place.

yep, I'm just saying it's annoying because of the massive amount of work we have to do to comply



#6 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 4
  • Joined: 25-March 04
  • Location: England, UK

Posted 15 January 2014 - 21:28

A couple things that pop into mind from a general security perspective:

1) The data transmission between pharmacies, how is this protected if at all? Are you using an encrypted VPN for this?

2) Is the data that is kept on the machines encrypted? I.e. if these machines were to be stolen, would the data be secure (relatively speaking, depending upon strength of the encryption key & algorithm) or exposed to the thief?



#7 vetneufuse

neufuse

    Neowinian Senior

  • Joined: 16-February 04

Posted 15 January 2014 - 21:37

> A couple things that pop into mind from a general security perspective:
>
> 1) The data transmission between pharmacies, how is this protected if at all? Are you using an encrypted VPN for this?
>
> 2) Is the data that is kept on the machines encrypted? I.e. if these machines were to be stolen, would the data be secure (relatively speaking, depending upon strength of the encryption key & algorithm) or exposed to the thief?

data at rest is supposed to be encrypted, yes, but only if not in a secure facility (i.e. laptops, desktops, etc.); if it's on servers that are locked in a secure area that is monitored it's not required to be encrypted, just protected...

data in motion is supposed to be encrypted all the time (i.e. VPN traffic, LAN traffic, P2P traffic, etc.)



#8 spenser.d

spenser.d

    Neowinian Senior

  • Joined: 19-December 03

Posted 15 January 2014 - 21:45

> data at rest is supposed to be encrypted, yes, but only if not in a secure facility (i.e. laptops, desktops, etc.); if it's on servers that are locked in a secure area that is monitored it's not required to be encrypted, just protected...
>
> data in motion is supposed to be encrypted all the time (i.e. VPN traffic, LAN traffic, P2P traffic, etc.)


Data at rest isn't always protected however. There are plenty of reports out there of healthcare organization laptops being stolen that contain patient data. As long as the org notifies those affected by the breach appropriately, there usually isn't much recourse (I imagine, or it wouldn't keep happening). One org was caught recently with patient data in Google Docs...

It almost seems irrelevant though if you think about the fact that some freeware EHR vendors sell "deidentified" patient data to other companies (usually pharma). It's been said that it doesn't take much to match that data to the people it belongs to.

#9 vetneufuse

neufuse

    Neowinian Senior

  • Joined: 16-February 04

Posted 15 January 2014 - 21:56

> Data at rest isn't always protected however. There are plenty of reports out there of healthcare organization laptops being stolen that contain patient data. As long as the org notifies those affected by the breach appropriately, there usually isn't much recourse (I imagine, or it wouldn't keep happening). One org was caught recently with patient data in Google Docs...
>
> It almost seems irrelevant though if you think about the fact that some freeware EHR vendors sell "deidentified" patient data to other companies (usually pharma). It's been said that it doesn't take much to match that data to the people it belongs to.

well, like I said, it's supposed to be encrypted; doesn't mean it always is